Feds Plan to Investigate Small-Scale Healthcare Data Breaches

The HHS Office for Civil Rights, which enforces rules surrounding HIPAA, has announced it will investigate breaches of protected health information affecting fewer than 500 individuals.

In September 2015, the HHS Office of Inspector General recommended that OCR begin posting smaller data breaches on its public web site, and OCR now is doing that. The site previously only listed breaches affecting 500 or more individuals.

In the announcement, OCR cited five recent settlements with covered entities that had smaller breaches; the settlements included financial fines and the imposition of corrective action plans. But not all of the cited settlements are recent; some were reached a year or more ago.

The settlements included Catholic Healthcare Services of the Archdiocese of Philadelphia ($650,000 on June 29, 2016), Triple-S Management Corp. ($3.5 million on Nov. 30, 2015), St. Elizabeth’s Medical Center in Brighton, Mass. ($218,400 on July 10, 2015), QCA Health Plan ($250,000 on April 22, 2014), and Hospice of North Idaho ($50,000 on Jan. 3, 2013).

It’s not surprising that OCR now has formally announced more aggressive reviews of smaller breaches, says Thad Phillips, a principal consultant at tw-Security, a consultancy. In 2013, Leon Rodriguez, then director at OCR, warned covered entities that regardless of size, providers needed to better protect patient information and said OCR would expand investigations of smaller breaches, Phillips says.

HIPAA settlements that include fines along with corrective action plans will continue, Phillips believes. If OCR wants to expand its audit program across the nation and conduct more expansive investigations of smaller breaches, it will need more resources.

“They’re sending another warning shot, but a lot louder,” he notes, adding that he would not be surprised if the agency outsourced some OCR investigations to contractors to support its plans to conduct more audits. “I think they’re going to start big and stay big.”

Margret Amatayakul, president at security firm MargretA Consulting, says it’s interesting that OCR is targeting smaller breaches for more extensive investigation. Under HIPAA, these breaches must be reported in an annual report, not as they happen.

“I have HIPAA risk analysis clients that have never had or at least never reported small breaches, whereas I believe they probably have had small breaches and may not be aware of them or the reporting requirement,” she says. “I have a couple of clients who report every single breach throughout the year—even in cases where I don’t think they are breaches and don’t need to report them.”

What’s important about the new OCR focus, Amatayakul notes, is that closer examination of smaller breaches could bring trouble over incidents that would not have drawn scrutiny earlier. “If I were OCR, I’d look at organizations that have had a lot of small breaches as potential targets for investigation.”

Another well-known healthcare security consultant, Kate Borten at Marblehead Group, sees OCR’s new approach as reasonable. “OCR had to prioritize its investigative resources, so initially focusing on larger breaches made sense. Hopefully now, their investigations are more routine and can be conducted more efficiently. Hence, OCR now can broaden the scope to include certain critical smaller breaches.”